Remote Desktop Protocol (RDP) brute force attacks remain a persistent threat to network security. Understanding how to effectively utilize your security infrastructure to combat these attacks is crucial. In this article, we delve into the specifics of leveraging Palo Alto Networks firewall signatures as a robust Brute Force Scan Tool, offering insights into tuning and optimizing these features for maximum protection.
The Palo Alto Networks firewall incorporates signatures designed to detect and mitigate brute force attempts, specifically targeting protocols like RDP. One key signature is the “MS-RDP Brute Force Attempt” signature. By default, this signature, identified as Vulnerability Protection signature ID 33020 (Microsoft remote desktop connect initial attempt), triggers when it detects 8 initial connection attempts within a 100-second timeframe. It’s important to note that signature ID 33020 is set to informational severity with a default action of ‘allow’. This means to actively monitor for these attempts, you must change the action to ‘alert’ to ensure these events are logged in your threat logs.
A screenshot from Palo Alto Networks firewall interface highlighting MS-RDP Brute Force signatures 40021 and 40026, emphasizing the necessity to change the action to ‘Block-IP’ for enhanced security against brute-force attacks.
Further enhancing your defenses, Palo Alto Networks provides two additional MS-RDP Brute Force signatures, 40021 and 40026. For optimal security, it is strongly recommended to modify the action for these signatures to ‘Block-IP’. This proactive measure can significantly reduce the risk of successful brute force attacks.
To understand the detection mechanism, it’s vital to recognize how signature 33020 operates. Each TCP connection made to the RDP server triggers this signature. Importantly, a single TCP connection allows for multiple password attempts, approximately three, before disconnection. Therefore, if a connection is established, three incorrect passwords are tried, and disconnection occurs, it is logged as a single occurrence of signature 33020. The signature detection is per session or connection, not per individual password attempt.
Under the default settings, a considerable number of password guesses can occur before the brute force signature fires: up to 24 password attempts (3 passwords per session × 8 TCP sessions) within 100 seconds.
For effective troubleshooting and enhanced security posture, consider these adjustments:
- Modify signature 33020 behavior to ‘alert’. This ensures immediate logging of initial RDP connection attempts, providing valuable visibility into potential brute force scanning activity.
- Adjust the time-attribute threshold for signatures 40021 and 40026 to ‘Number of Hits = 3 within 100 seconds’. This more aggressive setting makes your brute force scan tool more responsive and quicker to react to attack patterns.
Properly configured, these signatures become a potent brute force scan tool. A real-world example underscores this effectiveness. During a Palo Alto Networks firewall deployment at a university border, initial monitoring in ‘alert’-only mode revealed a staggering 130,000 MS-RDP brute force attempts in a single day. This volume equated to approximately 1 million connections (8 TCP sessions per attempt × 130k occurrences), translating to a potential 3 million password attempts daily (1 million connections × 3 passwords per connection).
Upon switching the action to ‘block-ip’ for 300 seconds (5 minutes), the impact was immediate and dramatic. The very next day, the number of RDP brute force occurrences plummeted to less than 2,000, a significant reduction from 130,000. Further increasing the block-ip duration to 3600 seconds (1 hour) would likely have reduced daily occurrences even further, potentially into the low hundreds, demonstrating the powerful impact of a well-tuned brute force scan tool.
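To make the mechanics above concrete (a signature that counts TCP sessions rather than password guesses, the ‘N hits within T seconds’ threshold, and what a block-ip action does to the daily alert count), here is an added Python model. It is not Palo Alto Networks code and does not reproduce the university data; it assumes a sliding time window per source, that the hit counter restarts after each trigger, and that connections arriving during a block-ip are dropped without reaching the server. The traffic it replays is constructed: one attacker at a documentation address reconnecting every 5 seconds for an hour, plus a legitimate user logging in three times in that hour.

```python
"""Sliding-window model of an 'N hits within T seconds' brute force signature,
with an optional block-ip response.

Added illustration, not Palo Alto Networks code. Assumptions, taken from the article:
  * each event is one TCP connection to the RDP server (what signature 33020 counts)
  * the brute force signature fires once `hits` such events from one source fall
    inside a sliding window of `seconds`, and the counter restarts after a trigger
  * after a block-ip action, that source's connections are dropped for
    `block_seconds` and are not counted
"""
from collections import defaultdict, deque

PASSWORDS_PER_SESSION = 3   # article: roughly three password tries per RDP TCP session


def evaluate(events, hits=8, seconds=100, block_seconds=0):
    """Replay (timestamp, source_ip) connection events through the signature.

    Returns (alerts, dropped): alerts is a list of
    (timestamp, source_ip, connections_counted_from_that_source_so_far) and
    dropped is the number of connections discarded while the source was blocked.
    """
    windows = defaultdict(deque)   # per-source timestamps still inside the window
    blocked_until = {}             # source -> time at which its block-ip expires
    counted = defaultdict(int)     # per-source connections that reached the server
    alerts, dropped = [], 0
    for ts, src in sorted(events):
        if blocked_until.get(src, float("-inf")) > ts:
            dropped += 1           # dropped by block-ip: no password tries possible
            continue
        counted[src] += 1
        window = windows[src]
        window.append(ts)
        while window and ts - window[0] > seconds:
            window.popleft()       # slide the window forward
        if len(window) >= hits:
            alerts.append((ts, src, counted[src]))
            window.clear()         # hit counter restarts after a trigger
            if block_seconds:
                blocked_until[src] = ts + block_seconds
    return alerts, dropped


def password_attempts_before_trigger(hits, per_session=PASSWORDS_PER_SESSION):
    """Worst case: every counted session carries a full set of password tries."""
    return hits * per_session


def constructed_hour(duration=3600, interval=5):
    """Constructed sample traffic (not real logs): one attacker from an RFC 5737
    documentation address reconnecting every `interval` seconds, plus a
    legitimate user who logs in three times in the hour."""
    attacker = [(t, "203.0.113.7") for t in range(0, duration, interval)]
    user = [(100, "198.51.100.5"), (1500, "198.51.100.5"), (3000, "198.51.100.5")]
    return attacker + user


def compare_tunings():
    """Alert counts for the default (8) and tuned (3) hit thresholds,
    each with no block and with a 300-second block-ip."""
    events = constructed_hour()
    results = {}
    for hits in (8, 3):
        for block in (0, 300):
            alerts, dropped = evaluate(events, hits=hits, seconds=100, block_seconds=block)
            results[(hits, block)] = {
                "alerts": len(alerts),
                "first_alert_at": alerts[0][0],
                "dropped": dropped,
                "attacker_sessions_counted": max(a[2] for a in alerts),
                "user_alerted": any(a[1] == "198.51.100.5" for a in alerts),
            }
    return results


if __name__ == "__main__":
    for (hits, block), r in compare_tunings().items():
        print(f"hits={hits} block={block}s -> {r}")
```

Two things the replay shows that the prose only states: lowering the threshold from 8 to 3 hits moves the first alert from the 8th session (up to 24 guesses) to the 3rd (up to 9 guesses), and a 300-second block-ip cuts both the alert count and the number of sessions that reach the server by roughly an order of magnitude, because the attacker only gets counted again once the block expires. The spread-out legitimate logins never trip either threshold; a user who retries three times within 100 seconds would, which is the case the unblocking process in the conclusion exists for.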
In conclusion, Palo Alto Networks firewall signatures, when appropriately configured and tuned, serve as an invaluable brute force scan tool for protecting against RDP attacks. However, careful tuning is essential to prevent blocking legitimate user traffic. Establish clear processes for unblocking legitimate users and regularly review and adjust your settings to maintain a robust and user-friendly security posture. By understanding and optimizing these signatures, you can significantly enhance your network’s resilience against brute force threats.